
Event Triggered Execution - T1546

(ATT&CK® Technique)

Subtechniques



D3FEND Inferred Relationships

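Browse the D3FEND knowledge graph by clicking on the nodes below. Each defensive technique is connected to T1546 only through a digital artifact the two share, so a "May Detect", "May Harden", "May Isolate", "May Evict", "May Deceive" or "May Model" edge marks a candidate countermeasure to evaluate, not confirmed coverage of this technique.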

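%% D3FEND inferred-relationship graph for ATT&CK technique T1546 (Event Triggered Execution).
%% Reading guide:
%%   - Solid edges (-->) connect a technique to a digital artifact; the edge label is the relationship verb.
%%   - Dashed edges (-.->) run from a defensive technique to T1546 and carry the inferred "May ..." relationship.
%%     They exist because both techniques touch the same artifact; they are not a statement of verified coverage.
%% Edge statements are kept in their original order, one per line. Node labels that had been split by hard
%% line wraps are rejoined, and the repeated class/click statements are collected once per node at the end.
graph LR;

%% --- T1546 and the artifacts it touches ---
T1546["Event Triggered Execution"] --> |executes| Command["Command"];
T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabase["System Configuration Database"];
T1546["Event Triggered Execution"] --> |produces| Process["Process"];
T1546["Event Triggered Execution"] --> |creates| Shim["Shim"];
T1546["Event Triggered Execution"] --> |invokes| CreateProcess["Create Process"];
T1546["Event Triggered Execution"] --> |may-create| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
T1546["Event Triggered Execution"] --> |modifies| EventLog["Event Log"];
T1546["Event Triggered Execution"] --> |modifies| ConfigurationResource["Configuration Resource"];
T1546["Event Triggered Execution"] --> |produces| IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
T1546["Event Triggered Execution"] --> |creates| ExecutableFile["Executable File"];
T1546["Event Triggered Execution"] --> |may-modify| SystemConfigurationDatabaseRecord["System Configuration Database Record"];
T1546["Event Triggered Execution"] --> |modifies| SystemConfigurationDatabaseRecord["System Configuration Database Record"];
T1546["Event Triggered Execution"] --> |loads| ExecutableBinary["Executable Binary"];
T1546["Event Triggered Execution"] --> |loads| SharedLibraryFile["Shared Library File"];
T1546["Event Triggered Execution"] --> |may-create| ExecutableScript["Executable Script"];
T1546["Event Triggered Execution"] --> |may-create| PropertyListFile["Property List File"];
T1546["Event Triggered Execution"] --> |may-modify| ExecutableBinary["Executable Binary"];
T1546["Event Triggered Execution"] --> |may-modify| ExecutableScript["Executable Script"];
T1546["Event Triggered Execution"] --> |may-modify| PropertyListFile["Property List File"];
T1546["Event Triggered Execution"] --> |modifies| ExecutableBinary["Executable Binary"];
T1546["Event Triggered Execution"] --> |modifies| ShimDatabase["Shim Database"];
T1546["Event Triggered Execution"] --> |modifies| UserInitConfigurationFile["User Init Configuration File"];
T1546["Event Triggered Execution"] --> |modifies| PowerShellProfileScript["PowerShell Profile Script"];

%% --- Defensive techniques, the artifacts they act on, and the inferred edge to T1546 ---
DecoyFile["Decoy File"] --> | spoofs | ExecutableBinary["Executable Binary"];
DecoyFile["Decoy File"] -.-> | May Deceive | T1546["Event Triggered Execution"];
DecoyFile["Decoy File"] --> | spoofs | SharedLibraryFile["Shared Library File"];
DecoyFile["Decoy File"] --> | spoofs | UserInitConfigurationFile["User Init Configuration File"];
DecoyFile["Decoy File"] --> | spoofs | PowerShellProfileScript["PowerShell Profile Script"];
DecoyFile["Decoy File"] --> | spoofs | PropertyListFile["Property List File"];
DecoyFile["Decoy File"] --> | spoofs | ExecutableScript["Executable Script"];
DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableScript["Executable Script"];
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
DynamicAnalysis["Dynamic Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"];
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableScript["Executable Script"];
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ConnectionAttemptAnalysis["Connection Attempt Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | May Detect | T1546["Event Triggered Execution"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | May Detect | T1546["Event Triggered Execution"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | May Detect | T1546["Event Triggered Execution"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
AdministrativeNetworkActivityAnalysis["Administrative Network Activity Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | May Detect | T1546["Event Triggered Execution"];
SystemCallAnalysis["System Call Analysis"] --> | analyzes | CreateProcess["Create Process"];
SystemCallAnalysis["System Call Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | Process["Process"];
ProcessSpawnAnalysis["Process Spawn Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
ProcessSpawnAnalysis["Process Spawn Analysis"] --> | analyzes | CreateProcess["Create Process"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] --> | analyzes | Process["Process"];
ProcessSelf-ModificationDetection["Process Self-Modification Detection"] -.-> | May Detect | T1546["Event Triggered Execution"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
FileEncryption["File Encryption"] --> | encrypts | ExecutableScript["Executable Script"];
FileEncryption["File Encryption"] -.-> | May Harden | T1546["Event Triggered Execution"];
LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableBinary["Executable Binary"];
LocalFilePermissions["Local File Permissions"] -.-> | May Harden | T1546["Event Triggered Execution"];
LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableScript["Executable Script"];
LocalFilePermissions["Local File Permissions"] --> | restricts | PropertyListFile["Property List File"];
LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"];
FileEncryption["File Encryption"] --> | encrypts | ExecutableBinary["Executable Binary"];
SystemConfigurationPermissions["System Configuration Permissions"] --> | restricts | SystemConfigurationDatabase["System Configuration Database"];
SystemConfigurationPermissions["System Configuration Permissions"] -.-> | May Harden | T1546["Event Triggered Execution"];
FileEncryption["File Encryption"] --> | encrypts | PropertyListFile["Property List File"];
FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"];
FileEncryption["File Encryption"] --> | encrypts | PowerShellProfileScript["PowerShell Profile Script"];
LocalFilePermissions["Local File Permissions"] --> | restricts | UserInitConfigurationFile["User Init Configuration File"];
FileEncryption["File Encryption"] --> | encrypts | SharedLibraryFile["Shared Library File"];
FileEncryption["File Encryption"] --> | encrypts | UserInitConfigurationFile["User Init Configuration File"];
LocalFilePermissions["Local File Permissions"] --> | restricts | PowerShellProfileScript["PowerShell Profile Script"];
LocalFilePermissions["Local File Permissions"] --> | restricts | SharedLibraryFile["Shared Library File"];
SoftwareUpdate["Software Update"] --> | updates | Shim["Shim"];
SoftwareUpdate["Software Update"] -.-> | May Harden | T1546["Event Triggered Execution"];
ProcessTermination["Process Termination"] --> | terminates | Process["Process"];
ProcessTermination["Process Termination"] -.-> | May Evict | T1546["Event Triggered Execution"];
ExecutableAllowlisting["Executable Allowlisting"] --> | restricts | CreateProcess["Create Process"];
ExecutableAllowlisting["Executable Allowlisting"] -.-> | May Isolate | T1546["Event Triggered Execution"];
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableBinary["Executable Binary"];
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableScript["Executable Script"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | isolates | Process["Process"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] -.-> | May Isolate | T1546["Event Triggered Execution"];
Hardware-basedProcessIsolation["Hardware-based Process Isolation"] --> | restricts | CreateProcess["Create Process"];
ExecutableDenylisting["Executable Denylisting"] --> | restricts | CreateProcess["Create Process"];
ExecutableDenylisting["Executable Denylisting"] -.-> | May Isolate | T1546["Event Triggered Execution"];
ExecutableDenylisting["Executable Denylisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"];
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | PowerShellProfileScript["PowerShell Profile Script"];
ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableBinary["Executable Binary"];
ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableScript["Executable Script"];
NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | May Isolate | T1546["Event Triggered Execution"];
ConfigurationInventory["Configuration Inventory"] --> | inventories | ConfigurationResource["Configuration Resource"];
ConfigurationInventory["Configuration Inventory"] -.-> | May Model | T1546["Event Triggered Execution"];
ConfigurationInventory["Configuration Inventory"] --> | inventories | ShimDatabase["Shim Database"];
ConfigurationInventory["Configuration Inventory"] --> | inventories | SystemConfigurationDatabaseRecord["System Configuration Database Record"];
DataInventory["Data Inventory"] --> | inventories | SystemConfigurationDatabase["System Configuration Database"];
DataInventory["Data Inventory"] -.-> | May Model | T1546["Event Triggered Execution"];
SoftwareInventory["Software Inventory"] --> | inventories | Shim["Shim"];
SoftwareInventory["Software Inventory"] -.-> | May Model | T1546["Event Triggered Execution"];
FileAnalysis["File Analysis"] --> | analyzes | ExecutableBinary["Executable Binary"];
FileAnalysis["File Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
FileAnalysis["File Analysis"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"];
FileAnalysis["File Analysis"] --> | analyzes | PropertyListFile["Property List File"];
FileAnalysis["File Analysis"] --> | analyzes | ExecutableScript["Executable Script"];
FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"];
FileAnalysis["File Analysis"] --> | analyzes | PowerShellProfileScript["PowerShell Profile Script"];
FileAnalysis["File Analysis"] --> | analyzes | SharedLibraryFile["Shared Library File"];
UserSessionInitConfigAnalysis["User Session Init Config Analysis"] --> | analyzes | UserInitConfigurationFile["User Init Configuration File"];
UserSessionInitConfigAnalysis["User Session Init Config Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
ProcessLineageAnalysis["Process Lineage Analysis"] --> | analyzes | Process["Process"];
ProcessLineageAnalysis["Process Lineage Analysis"] -.-> | May Detect | T1546["Event Triggered Execution"];
MandatoryAccessControl["Mandatory Access Control"] --> | restricts | CreateProcess["Create Process"];
MandatoryAccessControl["Mandatory Access Control"] -.-> | May Isolate | T1546["Event Triggered Execution"];
MandatoryAccessControl["Mandatory Access Control"] --> | isolates | Process["Process"];
SystemCallFiltering["System Call Filtering"] --> | filters | CreateProcess["Create Process"];
SystemCallFiltering["System Call Filtering"] -.-> | May Isolate | T1546["Event Triggered Execution"];
ActivePhysicalLinkMapping["Active Physical Link Mapping"] --> | produces | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ActivePhysicalLinkMapping["Active Physical Link Mapping"] -.-> | May Model | T1546["Event Triggered Execution"];
ActiveLogicalLinkMapping["Active Logical Link Mapping"] --> | produces | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
ActiveLogicalLinkMapping["Active Logical Link Mapping"] -.-> | May Model | T1546["Event Triggered Execution"];
PassiveLogicalLinkMapping["Passive Logical Link Mapping"] --> | monitors | IntranetAdministrativeNetworkTraffic["Intranet Administrative Network Traffic"];
PassiveLogicalLinkMapping["Passive Logical Link Mapping"] -.-> | May Model | T1546["Event Triggered Execution"];

%% --- Node styling and links: offensive technique ---
class T1546 OffensiveTechniqueNode; click T1546 href "/offensive-technique/attack/T1546/";

%% --- Node styling and links: digital artifacts ---
class Command ArtifactNode; click Command href "/dao/artifact/d3f:Command";
class SystemConfigurationDatabase ArtifactNode; click SystemConfigurationDatabase href "/dao/artifact/d3f:SystemConfigurationDatabase";
class Process ArtifactNode; click Process href "/dao/artifact/d3f:Process";
class Shim ArtifactNode; click Shim href "/dao/artifact/d3f:Shim";
class CreateProcess ArtifactNode; click CreateProcess href "/dao/artifact/d3f:CreateProcess";
class IntranetAdministrativeNetworkTraffic ArtifactNode; click IntranetAdministrativeNetworkTraffic href "/dao/artifact/d3f:IntranetAdministrativeNetworkTraffic";
class EventLog ArtifactNode; click EventLog href "/dao/artifact/d3f:EventLog";
class ConfigurationResource ArtifactNode; click ConfigurationResource href "/dao/artifact/d3f:ConfigurationResource";
class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile";
class SystemConfigurationDatabaseRecord ArtifactNode; click SystemConfigurationDatabaseRecord href "/dao/artifact/d3f:SystemConfigurationDatabaseRecord";
class ExecutableBinary ArtifactNode; click ExecutableBinary href "/dao/artifact/d3f:ExecutableBinary";
class SharedLibraryFile ArtifactNode; click SharedLibraryFile href "/dao/artifact/d3f:SharedLibraryFile";
class ExecutableScript ArtifactNode; click ExecutableScript href "/dao/artifact/d3f:ExecutableScript";
class PropertyListFile ArtifactNode; click PropertyListFile href "/dao/artifact/d3f:PropertyListFile";
class ShimDatabase ArtifactNode; click ShimDatabase href "/dao/artifact/d3f:ShimDatabase";
class UserInitConfigurationFile ArtifactNode; click UserInitConfigurationFile href "/dao/artifact/d3f:UserInitConfigurationFile";
class PowerShellProfileScript ArtifactNode; click PowerShellProfileScript href "/dao/artifact/d3f:PowerShellProfileScript";

%% --- Node styling and links: defensive techniques ---
class DecoyFile DefensiveTechniqueNode; click DecoyFile href "/technique/d3f:DecoyFile";
class EmulatedFileAnalysis DefensiveTechniqueNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis";
class DynamicAnalysis DefensiveTechniqueNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis";
class ConnectionAttemptAnalysis DefensiveTechniqueNode; click ConnectionAttemptAnalysis href "/technique/d3f:ConnectionAttemptAnalysis";
class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode; click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";
class RemoteTerminalSessionDetection DefensiveTechniqueNode; click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";
class NetworkTrafficCommunityDeviation DefensiveTechniqueNode; click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";
class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode; click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";
class AdministrativeNetworkActivityAnalysis DefensiveTechniqueNode; click AdministrativeNetworkActivityAnalysis href "/technique/d3f:AdministrativeNetworkActivityAnalysis";
class Client-serverPayloadProfiling DefensiveTechniqueNode; click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";
class SystemCallAnalysis DefensiveTechniqueNode; click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";
class ProcessSpawnAnalysis DefensiveTechniqueNode; click ProcessSpawnAnalysis href "/technique/d3f:ProcessSpawnAnalysis";
class ProcessSelf-ModificationDetection DefensiveTechniqueNode; click ProcessSelf-ModificationDetection href "/technique/d3f:ProcessSelf-ModificationDetection";
class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode; click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";
class FileEncryption DefensiveTechniqueNode; click FileEncryption href "/technique/d3f:FileEncryption";
class LocalFilePermissions DefensiveTechniqueNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";
class SystemConfigurationPermissions DefensiveTechniqueNode; click SystemConfigurationPermissions href "/technique/d3f:SystemConfigurationPermissions";
class SoftwareUpdate DefensiveTechniqueNode; click SoftwareUpdate href "/technique/d3f:SoftwareUpdate";
class ProcessTermination DefensiveTechniqueNode; click ProcessTermination href "/technique/d3f:ProcessTermination";
class ExecutableAllowlisting DefensiveTechniqueNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting";
class Hardware-basedProcessIsolation DefensiveTechniqueNode; click Hardware-basedProcessIsolation href "/technique/d3f:Hardware-basedProcessIsolation";
class ExecutableDenylisting DefensiveTechniqueNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting";
class NetworkTrafficFiltering DefensiveTechniqueNode; click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";
class ConfigurationInventory DefensiveTechniqueNode; click ConfigurationInventory href "/technique/d3f:ConfigurationInventory";
class DataInventory DefensiveTechniqueNode; click DataInventory href "/technique/d3f:DataInventory";
class SoftwareInventory DefensiveTechniqueNode; click SoftwareInventory href "/technique/d3f:SoftwareInventory";
class FileAnalysis DefensiveTechniqueNode; click FileAnalysis href "/technique/d3f:FileAnalysis";
class UserSessionInitConfigAnalysis DefensiveTechniqueNode; click UserSessionInitConfigAnalysis href "/technique/d3f:UserSessionInitConfigAnalysis";
class ProcessLineageAnalysis DefensiveTechniqueNode; click ProcessLineageAnalysis href "/technique/d3f:ProcessLineageAnalysis";
class MandatoryAccessControl DefensiveTechniqueNode; click MandatoryAccessControl href "/technique/d3f:MandatoryAccessControl";
class SystemCallFiltering DefensiveTechniqueNode; click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";
class ActivePhysicalLinkMapping DefensiveTechniqueNode; click ActivePhysicalLinkMapping href "/technique/d3f:ActivePhysicalLinkMapping";
class ActiveLogicalLinkMapping DefensiveTechniqueNode; click ActiveLogicalLinkMapping href "/technique/d3f:ActiveLogicalLinkMapping";
class PassiveLogicalLinkMapping DefensiveTechniqueNode; click PassiveLogicalLinkMapping href "/technique/d3f:PassiveLogicalLinkMapping";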





Use of the MITRE D3FEND™ Knowledge Graph and website is subject to the Terms of Use. Use of the MITRE D3FEND website is subject to the MITRE D3FEND Privacy Policy. MITRE D3FEND is funded by the National Security Agency (NSA) Cybersecurity Directorate and managed by the National Security Engineering Center (NSEC), which is operated by The MITRE Corporation. MITRE D3FEND and the MITRE D3FEND logo are trademarks of The MITRE Corporation. MITRE ATT&CK® and ATT&CK® are registered trademarks of The MITRE Corporation. MITRE ATT&CK content is subject to the MITRE ATT&CK terms of use. This software was produced for the U.S. Government under Basic Contract No. W56KGU-18-D-0004, and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause 252.227-7014 (FEB 2012).
© 2022 The MITRE Corporation.
Approved for Public Release; Distribution Unlimited #20-2338.